On 03/11/2013 12:49 PM, Richard Haines wrote:
> I've been using setool to generate entries for the mac_permissions file
> and come across a minor problem when using "setool --policy ..." with
> 4.2.2.
> I generate an entry as Example 1 and add it to mac_permissions.xml.
> I then run setool --policy as Example 2, but it states the app would
> be rejected.
> However, I installed the updated mac_permissions.xml file and ran Android
> with MMAC enforcing; the app works correctly (if I remove a permission
> the app fails to load, which is also correct).
> Does setool --policy just check the <default> entries, or am I missing
> something?
Try using the generated mac_permissions.xml file instead, i.e.
setool --policy
out/target/product/<device>/system/etc/security/mac_permissions.xml ...
The source mac_permissions.xml file no longer contains the full
signature string but only a symbolic tag that is expanded during build
based on external/sepolicy/keys.conf.
> Example 1 - Generate an entry and add it to the mac_permissions.xml file:
> setool --seinfo demo --build whitelist SEAndroidDemo.apk
>
> <signer signature="---Removed key value for this email----">
>   <package name="com.example.seandroiddemo">
>     <allow-permission name="android.permission.READ_EXTERNAL_STORAGE" />
>     <allow-permission name="android.permission.SEND_SMS" />
>     <allow-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
>     <allow-permission name="com.example.seandroiddemo.permission.DEADLY_ACTIVITY" />
>     <seinfo value="demo" />
>   </package>
> </signer>
>
> Example 2 - Now check if the app will pass:
> setool --policy external/sepolicy/mac_permissions.xml SEAndroidDemo.apk
>
> Default policy stanza used.
> Policy blacklist rejected package com.example.seandroiddemo
> Denied permission android.permission.WRITE_EXTERNAL_STORAGE
> Set of blacklisted permissions is:
>   android.permission.ACCESS_COARSE_LOCATION
>   android.permission.ACCESS_FINE_LOCATION
>   android.permission.AUTHENTICATE_ACCOUNTS
>   android.permission.CALL_PHONE
>   android.permission.CAMERA
>   android.permission.READ_LOGS
>   android.permission.WRITE_EXTERNAL_STORAGE
--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to [email protected] with
the words "unsubscribe seandroid-list" without quotes as the message.
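The following is an added example, not setool or AOSP code, that models the behaviour the reply describes: the source mac_permissions.xml carries a symbolic signer tag (assumed here to look like "@DEMO") that the build expands into the real certificate hex from keys.conf, so a check against the source file never matches the APK's certificate and falls through to the <default> blacklist, while the same check against the expanded file hits the package's allow-permission whitelist. The policy text, the certificate hex value and the key map are all constructed for the example; the checker is a simplified model of the stanza selection, not the real MMAC implementation.

```python
"""Simplified model of the mac_permissions.xml check discussed in the thread.

Added example, not setool or AOSP code. Assumptions: symbolic signer tags
start with '@', the build replaces them with the hex-encoded DER certificate
named in keys.conf, <default> is a deny-permission blacklist, and a matched
<package> stanza with allow-permission entries is a whitelist.
"""
import xml.etree.ElementTree as ET

# Constructed source policy with a symbolic signer tag instead of a certificate.
SOURCE_POLICY = """<policy>
  <signer signature="@DEMO">
    <package name="com.example.seandroiddemo">
      <allow-permission name="android.permission.READ_EXTERNAL_STORAGE" />
      <allow-permission name="android.permission.SEND_SMS" />
      <allow-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
      <seinfo value="demo" />
    </package>
  </signer>
  <default>
    <deny-permission name="android.permission.CAMERA" />
    <deny-permission name="android.permission.READ_LOGS" />
    <deny-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <seinfo value="default" />
  </default>
</policy>"""

# Constructed placeholder for the hex-encoded certificate a real build would
# substitute (a real value is the signer's DER certificate, hex encoded).
DEMO_CERT_HEX = "308201ab30820114a003020102020900d1"

# Constructed stand-in for the tag-to-certificate map derived from keys.conf.
KEY_MAP = {"@DEMO": DEMO_CERT_HEX}

PKG = "com.example.seandroiddemo"


def expand_signature_tags(policy_xml, key_map):
    """Replace every '@TAG' signature with its certificate hex, as the build does."""
    root = ET.fromstring(policy_xml)
    for signer in root.iter("signer"):
        sig = signer.get("signature", "")
        if sig.startswith("@"):
            if sig not in key_map:
                raise KeyError("no key mapping for tag %s" % sig)
            signer.set("signature", key_map[sig])
    return ET.tostring(root, encoding="unicode")


def _names(elem, tag):
    return {e.get("name") for e in elem.findall(tag)}


def evaluate_stanza(stanza, requested):
    """Return (allowed, offending) for one stanza against a requested permission set."""
    if stanza.find("allow-all") is not None:
        return True, set()
    allowed = _names(stanza, "allow-permission")
    if allowed:                      # whitelist: anything not listed is rejected
        extra = requested - allowed
        return not extra, extra
    denied = _names(stanza, "deny-permission")
    hit = requested & denied         # blacklist: anything listed is rejected
    return not hit, hit


def check_package(policy_xml, cert_hex, package_name, requested_perms):
    """Pick the stanza for (certificate, package) and return (allowed, stanza, offending)."""
    root = ET.fromstring(policy_xml)
    requested = set(requested_perms)
    for signer in root.iter("signer"):
        if signer.get("signature", "").lower() != cert_hex.lower():
            continue                 # a symbolic '@' tag never matches real hex
        pkg = next((p for p in signer.findall("package")
                    if p.get("name") == package_name), None)
        stanza = pkg if pkg is not None else signer
        ok, offending = evaluate_stanza(stanza, requested)
        return ok, "package" if pkg is not None else "signer", offending
    default = root.find("default")
    if default is None:
        return False, "none", requested
    ok, offending = evaluate_stanza(default, requested)
    return ok, "default", offending


if __name__ == "__main__":
    wanted = ["android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.WRITE_EXTERNAL_STORAGE"]
    # Against the source file the tag does not match, so the blacklist applies.
    print("source policy:", check_package(SOURCE_POLICY, DEMO_CERT_HEX, PKG, wanted))
    # Against the expanded (built) file the package whitelist applies.
    built = expand_signature_tags(SOURCE_POLICY, KEY_MAP)
    print("built policy: ", check_package(built, DEMO_CERT_HEX, PKG, wanted))
```

Running the script prints a rejection from the "default" stanza for the source policy and an acceptance from the "package" stanza for the expanded one, which is the difference between the two files the reply points at.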